1. OVERVIEW

1.1 Introduction


Information technology (IT) security is the protection resulting from an integrated set of measures designed to ensure confidentiality of information electronically stored, processed or transmitted, the integrity of the information and the availability of systems and services. IT security standards have been developed to assist government organizations in implementing an effective IT security program. The document Technical Security Standards for Information Technology (TSSIT) addresses the "rings of security", i.e. (1) Organizational and Administrative, (2) Personnel, (3) Physical and Environmental, (4) Hardware, (5) Communications, (6) Software, and (7) Operations. TSSIT describes in detail the minimum security requirements that all computer systems must meet to protect data in accordance with its defined sensitivity.


The guidelines provided below have been extracted from TSSIT and modified to reflect use of new technologies in office environments where small systems are used. Many of the guidelines are not unique to such an environment, but have been consolidated here for the convenience of the user.


1.2 Background


A significant difference in the use of large computers and small systems is that responsibility for and operation of the large computers is assigned to data centre management, while small system users have control of and responsibility for all aspects of the system operation. Personnel using small computer systems usually do not have an information processing background and thus are often not aware of the vulnerabilities associated with the use of small systems. Consequently, sensitive data on small systems may be inadequately protected.


Historically, protection of large computers, including the backup and recovery of data files, was the responsibility of data centre personnel. Theft of large systems or related peripherals, such as disks and tapes, was infrequent, primarily due to the physical size of these systems and the implementation of physical access controls at most data centres. With the current proliferation of computers in the office and the home, small systems are exposed to a new type of threat. The theft of the system components and media (diskettes and hard disks) is motivated not by the data contained therein but by the value and attractiveness of the hardware itself. Another security concern associated with the use of small systems, especially those connected to a network, is the difficulty in controlling the unauthorized expansion of hardware and software products which may compromise, either accidentally or deliberately, the security of the system or network. When using small computer systems, the users themselves are required to perform all system operational functions, including ensuring the security of the system and the data stored therein. Consequently, it is imperative that users be educated not only in the use of the systems but also in the importance of proper security procedures.


1.3 Scope


The major thrust of the government's IT security standards is aimed at minicomputers and mainframe installations. Since microcomputer-based systems, such as personal computers and word processors, do not have or require all the capabilities of a general purpose system, not all IT security standards are applicable.


These guidelines are applicable to systems functioning either as stand-alone units or interconnected to other systems and operating within an office environment without requiring extraordinary physical and environmental (e.g. air conditioning, raised flooring, or power supply) or personnel (computer operators) support. This definition includes standard office automation equipment, such as microcomputers (personal computers) and word processors, as well as local area networks (LANs) consisting of small systems and small systems acting as remote terminals to large computers and data networks. Additionally, for those small systems connected to large computers or data networks, the security standards of the "host" system must be adhered to and, consequently, from the "host perspective", the small system must comply with the security standards detailed in the IT standards. Also included in this definition are laboratory and science and engineering systems used in the collection and manipulation of sensitive specialized data.


Small Systems Security Guidelines

1.4 Objective

The purpose of these guidelines is to assist organizations, management and users with the identification, development and implementation of administrative, technical and procedural safeguards which are required for the protection of information being processed on small computer systems. It must be emphasized, however, that these guidelines are general in nature and will not cover all situations, equipment or types of interconnected systems. The degree of protection applied must be commensurate with the level of sensitivity of the information being processed or stored. A threat and risk assessment must be conducted to assess the threats and to develop cost-effective countermeasures. Departmental security staff can assist with this assessment process. These guidelines are meant to address security concerns of stand-alone, interconnected, and externally connected small computer systems.
2. DESIGNATED INFORMATION


2.1 Introduction


The guidelines in this chapter summarize the security measures required by organizations using small systems to process, store or transmit designated information. Chapter 3 contains additional safeguards for systems processing classified information.


2.2 Administration and Organization


1. Accountability for the security of each system/network should be assigned. These functional responsibilities should be defined, documented and distributed.


2. All hardware/software/communications additions, changes or deletions to the configuration of small systems and/or the network should be authorized by the individual responsible for the system and/or network.


3. System security policies, procedures and standards should be developed, documented and distributed.


4. The confidentiality, criticality of service, and backup requirements of the programs and data processed should be established in a "Statement of Sensitivity".


5. A threat and risk assessment shall be conducted.


6. Rules and regulations (to be "signed off" by system users) associated with access to the system resources should be developed and stipulate:

- that system and data resources shall be used only in direct support of authorized projects, together with explicit exceptions if required;
- responsibilities (accountability) respecting the use of user-IDs, passwords and access control items such as encryption keying material, keys, locks, and card access;
- the authority required to modify, delete or add to sensitive data or programs;
- the authority required to access any data or program entity not specifically owned or controlled by the person wishing access;
- responsibilities respecting the confidentiality of information on or relating to the system;
- responsibilities respecting the restriction of use and/or copying of copyright-protected programs and data;
- restrictions which limit an individual's access to specific locations, times, systems, files and programs (transactions);
- the authority required to modify, delete or add hardware, software or communications components;
- responsibilities respecting the reporting of security infractions;
- the authority required to remove hardware, communications, or software products from the premises (both permanently and temporarily);
- responsibilities respecting the backup of critical programs and data;
- that all software and hardware be examined for malicious code, e.g. viruses, prior to initial use; and
- that any violation of the spirit or intent of the rules and regulations can lead to loss of privilege or employment, disciplinary action or legal procedure.


7. Records should be maintained recording the signed acknowledgement of each individual who is to be authorized access to the system that the rules and regulations associated with such access have been read.

8. A security-incident-reporting procedure should be developed, documented and implemented. A definition of a security incident in the system environment should be developed.

9. Contingency plans for systems should be established.

10. An annual security audit of the small systems and network should be conducted.


2.3 Personnel 


1. Enhanced reliability checks shall be conducted for all users who may have access to systems that process designated information.


2. A small computer systems security awareness program should be developed for users and include information concerning the security vulnerabilities associated with the use of small computer systems.


3. On termination or transfer of employment, procedures shall exist to:

- revoke access privileges (e.g. user-IDs and passwords) to system and data resources,
- retrieve sensitive material including access control items (e.g. keys and badges), and
- retrieve small systems-related hardware, software and documentation.


4. A need-to-know profile should be established for all users. It should specify the users' "access rights" in relation to information contained on the system or network.


2.4 Physical and Environmental


1. Where the storage media cannot be removed from the system, complementary physical and logical access control techniques should be implemented. Examples of these access controls are:

- entrance doors to the system facility are at least secured with approved doors and locking hardware;
- walls of the room housing the equipment are constructed from the floor to the real ceiling;
- access to the system area is restricted to authorized personnel;
- access to the system area is secured in the absence of personnel authorized for the system;
- signs to demarcate the appropriate secure zone (e.g. Operations Zone) are prominently posted at all entrances to a facility (room) housing a number of the systems;
- surveillance methods, such as motion detectors and alarms, are implemented for the area housing the equipment;
- the entire system is stored in an appropriate security container when not in use; and
- logical access to system resources is controlled using techniques such as encryption, passwords, and hardware/software access controls.
2. Where removable media is used to store designated information:

- the media should be stored in an appropriate security container when not in use; and
- where confidentiality is a concern, the information should be encrypted.


3. All designated information, whether it be on magnetic media or hardcopy documents, should be controlled whenever the system equipment is left unattended.


4. Where processed information is particularly sensitive, procedures for securing printer ribbons should be documented and implemented. Printer ribbons, OPC cartridges, laser printer cartridges, and carbon paper should be:

- physically secured during silent hours and controlled when the printer is left unattended;
- disposed of in an approved manner (e.g. by burning or shredding); and
- suitably protected, including inventory control, while awaiting destruction.


5. Procedures should be implemented for the disposal of sensitive hardcopy waste by such means as shredding, mulching or burning.


6. Procedures should be implemented for the disposal of sensitive magnetic media (hard disk, floppy diskettes, magnetic tapes, optical disks) by such means as overwriting, degaussing or burning.


7. Provisions for physical security at offsite storage facilities should be commensurate with that required at the primary site.
8. Where unauthorized removal of the system or its components is a concern, the system should be secured by the implementation of additional security measures.


2.5 Hardware


1. An inventory of all small systems should be maintained indicating the unique identification of the system and components, the location, and the individual responsible.


2. An institutional standard hardware configuration should be established and maintained.


3. Unless access to particularly sensitive data is deemed impossible, hardware maintenance personnel should be supervised by a knowledgeable person who understands the implications of the actions taken.


4. Where equipment maintenance requires the exchange or release of components (tapes, disks, diskettes, memory, EPROMs) which may contain sensitive information, those components should not be released to the vendor unless the data has been rendered unintelligible by means of approved erasure or encryption. Where these methods cannot be used, the equipment shall be disposed of using approved procedures.


5. A power surge suppressor should be installed in those localities which have a history of frequent significant power fluctuations.


6. Where static electricity may affect the integrity and reliability of the data and programs processed and stored on the equipment, anti-static devices should be installed.


7. Records of all hardware modifications, configuration changes and maintenance activities should be retained for a period of one year.


8. To detect and prevent small systems from being infected by computer viruses, all newly acquired hardware, or hardware returned from maintenance, should be scanned for the existence of viruses.


2.6 Communications 


1. For LANs, a configuration chart of the current data communications should be maintained.


2. Where sensitive data is processed or stored on a system, or on a system which is part of a network, all communications with that system or network should be controlled. Note: Techniques such as voice recognition, smart card, government-approved encryption, dial-back units, and controlled user groups are recognized means of controlled communications.


3. Where unauthorized access is a concern, all unsuccessful system access attempts should be recorded and reviewed.
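The review step of item 3, as an added example that is not part of the guideline: it parses a constructed access log (the guideline prescribes no format), lists every unsuccessful attempt, and flags user-ID/terminal pairs with repeated failures inside a short window, noting whether a successful login followed. The threshold, window and record layout are assumptions made here.

```python
"""Added example: recording and reviewing unsuccessful access attempts.
The log format, threshold and window are constructed for this example;
the guideline itself prescribes none of them."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one access attempt per line.
SAMPLE_LOG = """\
1991-03-04 08:01:12 LOGIN user=jsmith term=TTY02 result=OK
1991-03-04 08:03:40 LOGIN user=rbrown term=TTY05 result=FAIL
1991-03-04 08:03:55 LOGIN user=rbrown term=TTY05 result=FAIL
1991-03-04 08:04:10 LOGIN user=rbrown term=TTY05 result=FAIL
1991-03-04 08:04:30 LOGIN user=rbrown term=TTY05 result=OK
1991-03-04 09:15:02 LOGIN user=admin term=DIAL1 result=FAIL
1991-03-04 09:15:20 LOGIN user=admin term=DIAL1 result=FAIL
1991-03-04 09:15:41 LOGIN user=admin term=DIAL1 result=FAIL
1991-03-04 09:16:03 LOGIN user=admin term=DIAL1 result=FAIL
1991-03-04 13:40:00 LOGIN user=jsmith term=TTY02 result=FAIL
"""


def parse_log(log_text):
    """Return a list of (timestamp, user, terminal, result) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, clock, _event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        stamp = datetime.strptime(day + " " + clock, "%Y-%m-%d %H:%M:%S")
        records.append((stamp, kv["user"], kv["term"], kv["result"]))
    return records


def failed_attempts(log_text):
    """The record the guideline asks for: every unsuccessful attempt."""
    return [(s, u, t) for s, u, t, r in parse_log(log_text) if r == "FAIL"]


def review(log_text, threshold=3, window=timedelta(minutes=5)):
    """Review step: flag each (user, terminal) pair whose failures reach
    `threshold` inside any `window`. Returns {pair: (failures_in_densest_window,
    success_followed)}; success_followed is True when that pair later logged in
    successfully, which is the case a reviewer should look at first."""
    attempts = defaultdict(list)
    for stamp, user, term, result in parse_log(log_text):
        attempts[(user, term)].append((stamp, result))
    flagged = {}
    for pair, events in attempts.items():
        events.sort()
        fails = [s for s, r in events if r == "FAIL"]
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:   # slide window start
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = fails[-1]
            success_followed = any(r == "OK" and s > last_fail for s, r in events)
            flagged[pair] = (best, success_followed)
    return flagged


if __name__ == "__main__":
    for pair, (count, followed) in review(SAMPLE_LOG).items():
        print(pair, count, "failures", "then success" if followed else "")
```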


4. When transmitting information where data integrity is a concern, an integrity code should be included with the data to verify that the data has not been altered during transmission.
5. When transmitting particularly sensitive information, government-approved cryptography or other approved COMSEC measures shall be used unless a threat and risk assessment indicates otherwise.


2.7 Software


1. A current inventory should be maintained of all software (copyrighted/licensed/developed) and important (or shared) information.


2. When users without a common need-to-know share a system, logical access controls should be implemented to ensure only authorized users are permitted access to the information.


3. Where systems or networks process information of differing sensitivities, the information should be stored on separate physical devices. Where this is not practical, or when particularly sensitive information is involved, government-approved encryption should be considered.


4. Where the user identification is authenticated, the user authentication information should not be displayed, and should be protected from unauthorized access.


5. Where data integrity is a concern, procedures should be implemented to ensure that:

- changes to programs and data are authorized and controlled, and
- acceptance tests are conducted.


6. Where data integrity is a concern, controls should be implemented to ensure that the integrity is maintained while the data is stored or processed on the system. Examples of such controls include batch totals, file record counts, file release dates and version numbers, block counts, check sums, hash totals, data edit routines, and file and message authentication coding.
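The stored-data controls listed in item 6 (and the transmission integrity code of 2.6 item 4), as an added example that is not part of the guideline: a constructed batch file carries a control record of record count, batch total and hash total, and an HMAC serves as the message authentication code for transmission. The record layout and key are assumptions made here; the swapped-amounts case shows why a batch total alone is not sufficient.

```python
"""Added example: the stored-data integrity controls named in the guideline
(record count, batch total, hash total / check sum) plus a message
authentication code for transmission. Batch layout and key are constructed."""
import hashlib
import hmac

# Constructed batch file: "id,account,amount_cents", one record per line.
BATCH = [
    "0001,ACC-1001,12500",
    "0002,ACC-1002,4075",
    "0003,ACC-1003,99900",
    "0004,ACC-1001,300",
]
# Constructed key for the example only; real keying material is an
# access control item under 2.2 item 6 and must be protected accordingly.
MAC_KEY = b"example-key-not-for-use"


def batch_total(records):
    """Batch total: sum of the amount field over all records."""
    return sum(int(r.split(",")[2]) for r in records)


def hash_total(records):
    """Hash total (check sum) over the whole file; order matters."""
    h = hashlib.sha256()
    for r in records:
        h.update(r.encode() + b"\n")
    return h.hexdigest()


def build_control_record(records):
    """Control record kept beside the data while it is stored or processed."""
    return {
        "record_count": len(records),
        "batch_total": batch_total(records),
        "hash_total": hash_total(records),
    }


def check_controls(records, control):
    """Names of the controls that no longer agree with the data (empty = OK).
    A batch total catches a changed or dropped amount but not two amounts
    swapped between records; the hash total catches that too."""
    actual = build_control_record(records)
    return [name for name in control if control[name] != actual[name]]


def seal_for_transmission(records, key):
    """Integrity code for transmission: HMAC-SHA256 over the payload. Unlike
    the unkeyed hash total, a sender without the key cannot produce it."""
    payload = "\n".join(records).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_transmission(payload, code, key):
    """Receiver recomputes the code with the shared key (constant-time compare)."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    control = build_control_record(BATCH)
    swapped = [BATCH[0].replace("12500", "300"), BATCH[1], BATCH[2],
               BATCH[3].replace("300", "12500")]
    print("intact:", check_controls(BATCH, control))        # []
    print("swapped:", check_controls(swapped, control))     # ['hash_total']
    payload, code = seal_for_transmission(BATCH, MAC_KEY)
    print("mac ok:", verify_transmission(payload, code, MAC_KEY))  # True
```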


7. A system development life cycle (SDLC) methodology should be implemented where significant resources are used for the development of applications or, where warranted, due to the sensitivity of the data to be processed. The SDLC should ensure that:

- security concerns are addressed,
- test criteria are met prior to implementation of operational software,
- change control procedures for operational software are implemented, and
- discrepancies for all data and software are reported, monitored and resolved.


2.8 Operations 


1. A physical inventory of all storage media containing designated information should be carried out at least annually.


2. Where user identification and authentication mechanisms are used, procedures should be implemented which:

- control the issue, change, cancellation and audit of user identifiers and authentication mechanisms; and
- ensure that authentication codes or passwords are:
  - generated, controlled and distributed so as to maintain the confidentiality and availability of the authentication code;
  - known only to the authorized user of the account;
  - pseudo-random in nature or vetted through a verification technique designed to counter triviality and repetition;
  - no less than five characters in length;
  - one-way encrypted;
  - excluded from unprotected automatic log-on processes; and
  - changed at least annually.
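The password rules of item 2, as an added example that is not part of the guideline: a vetting function applies the five-character minimum and rejects trivial or repetitive choices, the accepted password is stored only as a salted one-way transform, and authentication reports when the annual change is overdue. The trivial-word list, the PBKDF2 choice and the record layout are assumptions made here.

```python
"""Added example: vetting a proposed password against the guideline's rules
(length, triviality, repetition), storing it one-way, and checking the
annual change. The trivial-word list and record layout are constructed."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 5                      # "no less than five characters"
MAX_AGE = timedelta(days=365)       # "changed at least annually"
# Constructed sample of trivial choices; a real vetting list is far longer.
TRIVIAL = {"password", "secret", "letmein", "qwerty", "12345", "abcde"}


def is_repetitive(pw):
    """True if pw is one character, or one short pattern, repeated."""
    for n in range(1, len(pw) // 2 + 1):
        if len(pw) % n == 0 and pw[:n] * (len(pw) // n) == pw:
            return True
    return False


def vet(user_id, pw):
    """Verification technique "designed to counter triviality and
    repetition": returns the reasons for rejection (empty list = accepted)."""
    reasons = []
    low, uid = pw.lower(), user_id.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if low in TRIVIAL or low == uid or low == uid[::-1]:
        reasons.append("trivial")
    if is_repetitive(low):
        reasons.append("repetitive")
    return reasons


def one_way(pw, salt, iterations=100_000):
    """One-way encryption: salted PBKDF2-HMAC-SHA256; not reversible."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def enrol(user_id, pw, today_iso):
    """Stored record for an accepted password; the clear text is not kept.
    Raises ValueError with the vetting reasons if the password is rejected."""
    reasons = vet(user_id, pw)
    if reasons:
        raise ValueError("rejected: " + ", ".join(reasons))
    salt = os.urandom(16)
    return {"user": user_id, "salt": salt, "digest": one_way(pw, salt),
            "set_on": date.fromisoformat(today_iso)}


def authenticate(record, pw, today_iso):
    """Returns (accepted, change_due): accepted compares digests in constant
    time; change_due is True once the password is older than MAX_AGE."""
    accepted = hmac.compare_digest(one_way(pw, record["salt"]), record["digest"])
    change_due = date.fromisoformat(today_iso) - record["set_on"] > MAX_AGE
    return accepted, change_due


if __name__ == "__main__":
    print(vet("jsmith", "ababab"))                       # ['repetitive']
    rec = enrol("jsmith", "Gr8-Maple!", "1991-03-04")
    print(authenticate(rec, "Gr8-Maple!", "1992-03-10"))  # (True, True)
```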


3. To ensure integrity and availability of essential data and programs:

- backup copies of the essential information should be taken at regular intervals; and
- based on the criticality of the information and availability requirements, backup copies of the information should be stored at an offsite location.


4. All storage media containing designated information, whether removable or not, should:

- be clearly marked to denote the highest designation stored on that media, and
- retain its marking until:
  - all information on the media has been downgraded,
  - the media has been sanitized using an approved procedure, or
  - the media has been disposed of using an approved procedure.
5. Where confidentiality is a concern, system display units and hardcopy production units should be positioned or equipped with protective material, e.g. limited vision screens or printer covers, such that the information displayed or processed cannot be readily viewed by unauthorized persons.


6. Users of a system or network which processes sensitive information on non-removable media should be uniquely identified. This identification should be authenticated prior to users being given access to the system and data resources.


7. Where equipment is to be removed from the premises on a temporary basis, control procedures should be implemented and include:

- the approval authority,
- the identity of the borrower,
- the equipment identification,
- a signed acknowledgement of acceptance and return of equipment, and
- a requirement to sanitize the equipment before and after the loan period.


8. Where confidentiality is a concern, the contents of erasable media should be obscured using an approved technique before the media is re-used.


9. Where confidentiality is a concern, automated and/or manual controls should be implemented to prevent unauthorized copying, transmission or printing.


10. Where data integrity is a concern, control procedures should be implemented to:

- ensure information to be entered or processed has been duly authorized,
- verify the accuracy of the information,
- retain the identity of the individual(s) who authorized and entered the information, and
- maintain an audit trail of transactions entered on the system.


11. The system should maintain a log of all security-relevant activities on the system, e.g. logins and file accesses.


12. Procedures should be implemented to ensure that critical operational material and media resources are identified on a continuing basis to enable restoration of the minimum essential level of service following the loss of equipment or service.


13. To detect and prevent small systems from being infected by computer viruses, the following precautions should be observed:

- all media received from external sources, including licensed or copyright software, should be scanned for the existence of viruses,
- all original master copies of software should be stored on media with the write-protect security feature activated, and
- computer systems should be scanned for the existence of viruses after software and hardware maintenance.


14. A contingency procedure should be developed detailing the course of action to be followed when a virus attack is suspected.
3. CLASSIFIED INFORMATION


3.1 Introduction


The guidelines in this chapter contain a summary of additional security measures required by organizations using small systems to process, store or transmit information classified Confidential or Secret in the national interest. Top Secret information will require protective measures in addition to those described in this chapter, and advice and guidance can be obtained from the Departmental Security Officer, SEIT and CSE.


3.2 Administration and Organization


Procedures should be developed, documented and implemented to ensure that:

1. the information is assigned a security classification,
2. the classification and declassification conform with the provisions of the Security Policy of the Government of Canada, and
3. appropriate security clauses specifying security requirements are included in all contractual arrangements with other organizations.


3.3 Personnel


Personnel who have access to classified information shall be security screened to the highest classification level of information accessed.


3.4 Physical and Environmental


1. Access to system and data resources where classified data is processed or stored should be restricted to those having a common need-to-know.


2. The area housing a system on which classified information is stored on non-removable media should be secured in an approved manner.


3. The area housing TEMPEST-compliant small systems equipment should be secured.


4. Records should be kept of anyone accessing the area where the small systems containing classified information are located.


5. Procedures for the disposal of classified hardcopy, storage media, printer ribbons and OPC cartridges should comply with the Security Policy of the Government of Canada.


6. Areas where classified information is processed or stored should be established as a Security or a High Security Zone. Access privileges should be controlled and authorized.


7. Installations or modifications of TEMPEST-compliant small systems should be approved by the COMSEC authority.


3.5 Hardware


Where equipment maintenance requires the exchange or release of components (tapes, disks, diskettes, memory, EPROMs) which contain classified information, those components should not be released to the vendor unless the data has been rendered unintelligible by means of approved erasure techniques or encryption. Where this procedure cannot be used, the equipment shall be disposed of using approved procedures.




3. CLASSIFIED INFORMATION


3.1 Introduction


The guidelines in this chapter contain a summary of the additional security measures that organizations using small systems must implement to process, store or transmit information classified "Confidential" or "Secret" in the national interest. "Top Secret" information will require additional protective measures beyond those described in this chapter; advice and guidance can be obtained from the Departmental Security Officer, the Security Inspection and Evaluation Team (SEIT) and the Communications Security Establishment (CSE).


3.2 Administration and Organization


Procedures should be developed, documented and implemented so that:

1. a security classification is assigned to the information;
2. classification and declassification conform to the provisions of the Security Policy of the Government of Canada;
3. appropriate clauses specifying security requirements are included in all contractual arrangements concluded with other organizations.


3.3 Personnel


Personnel who have access to classified information must be security screened to the highest classification level of the information they access.
3.4 Physical and Environmental


1. Where classified information is processed or stored, access to systems and information resources should be limited to persons who share a common need-to-know.

2. The area housing a system in which classified information is kept on non-removable media should be protected in an approved manner.

3. The area housing TEMPEST small systems equipment should be protected.

4. Records should be kept of all persons who have access to the area where small systems containing classified information are located.

5. Procedures for the destruction of paper documents, storage media, printer ribbons and OPC cartridges should comply with the Security Policy of the Government of Canada.

6. Areas in which classified information is processed or kept should be treated as restricted-access zones (Security or High Security). Access privileges should be controlled and authorized.

7. Installations or modifications of TEMPEST small systems should be approved by the COMSEC authority.
- retain its marking until:
  - all information on the media has been declassified,
  - the media has been sanitized using an approved procedure, or
  - the media has been disposed of using an approved procedure.


5. When changing modes of operation (usually caused by change of common need-to-know, classification, or access rights), the following procedures are to be implemented:

- data communication lines should be controlled,
- memory should be sanitized,
- access paths to data should be established as required, and
- a fresh copy of an appropriately protected version of the operating system should be utilized.